I'm running CentOS 8, hosting mail and web on one server, and have successfully installed a regular certificate covering my domain example.com and www.example.com.
I'd assume I need to combine a wildcard certificate along with the installed regular certificate.
Is this possible? I did some Google searching and to my surprise I didn't see much regarding this, even though it seems like an obvious thing many people would want to do.
When I set up the certificate, it offered me two options, a regular certificate covering www.example.com and example.com, and a wildcard certificate, but it specifically said it covered *.example.com but NOT example.com.
"A wildcard certificate is a certificate that covers one or more names starting with *. and that will be accepted by a web browser for any subdomain name with any label in place of the * character. For example, a certificate for *.example.com will be valid for www.example.com, mail.example.com, hello.example.com, or goodbye.example.com, but not for example.com."
That's an explanation about how the wildcard hostname works. However, it does not directly say it's impossible to include example.com in the certificate too. That might be an oversight of the documentation though. To be honest, it should also explain the fix: just add example.com too. I'll see if I can open a GitHub issue for it.
Well, it's all very confusing. I can see these types of issues hindering the stated goal of 'encrypting the web 100%!'
So I guess the question is how exactly can I expand my existing certificate to include mail.example.com, or how do I add another certificate along with my existing one?
I looked over the ssl.conf in the Apache conf.d directory, but I didn't see Let's Encrypt's certificates referenced there. Certbot works in a way I haven't figured out yet...
Depends on how you got the certificate in the first place. Could you share the exact command you've used to get the certificate?
Oh, they are referenced in there somewhere. If you have used certbot to install the certificates, it would have copied the VirtualHost section into its own file suffixed by -le-ssl.conf.
OK, so that would mean you've used the apache plugin for authentication as well as for installing. We can work with that.
You should be able to run certbot --apache again. It should give you the same question again: which hostnames would you like to certify... or something like that. It should be possible to select example.com, www.example.com and mail.example.com. Now, if your certbot is new enough, it should ask you if you'd like to expand the current certificate. That means you'll get a single certificate with all three hostnames in it.
It's also possible, however, that it generates a new certificate alongside your previous one. This isn't bad, strictly speaking, but it is very confusing. But nothing we can't fix later.
So I'd suggest running the certbot command again and seeing what it asks.
Oh, I see. Makes more sense now, I missed seeing the -le-ssl.conf file.
I'd hope I could just install another certificate (cert only download) with certbot and manually just add the second certificate below the first one in that file. I'm sure it wouldn't be that easy though, of course (nothing is).
Just saw your reply, reading now. Thanks for the help!
Well, that's possible too, of course. And isn't that hard. But I'm wondering why you might do that, when certbot should be able to do it for you?
You can generate a separate certificate for your mail subdomain if you'd like. Just select only that hostname when certbot asks you for the hostnames you want a certificate for.
Do you want to expand and replace this existing certificate with the new
certificate?
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mail.decisionconcepts.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/
Well, I'll be. Amazing. I was prepared for a lot of nonsense.
Except I restarted Apache and it's not securing my mail.example.com site. Hmm.
I don't think so... Might be something that is working perfectly in the current version of certbot. You're using your OS distro package manager... They often lag behind tremendously.
You can add the redirect manually (just look at what certbot put in the configuration file for the HTTP virtualhost of your main site and copy/paste it, while not forgetting to modify the hostname it looks for), or you might let certbot do it... Not sure how though... Perhaps by running certbot install --redirect --apache and selecting the three hostnames again. It should ask you something like "You already have a certificate, would you like to re-issue it? (no, you don't want to...) or to reinstall it? (yes, you want that)". But not sure what happens, to be honest; I've never worked with certbot install before.
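The two steps the replies above describe, expanding the existing certificate with certbot and then checking that Apache really serves every covered hostname over HTTPS with the HTTP redirect in place, as an added shell example that is not part of this thread or of certbot itself. It assumes certbot's real `--apache`, `--expand` and `-d` options, that `openssl x509 -ext subjectAltName` is available (OpenSSL 1.1.1 or later, as on CentOS 8), and that the RewriteCond/RewriteRule lines are the form certbot's apache plugin writes for `--redirect`; the Apache config it inspects is constructed inline to reproduce the symptom from the thread (certificate expanded, but no HTTPS VirtualHost for mail.example.com).

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for expanding the certificate and
# for checking that each covered hostname is actually served over HTTPS.

# Step 1: re-run the apache plugin with the full hostname list. --expand makes
# certbot replace the existing certificate with one covering all three names
# instead of issuing a second certificate alongside it. Not run in the demo
# below: it needs a live server, DNS and the ACME endpoint.
expand_cert() {
    certbot --apache --expand -d example.com -d www.example.com -d mail.example.com
}

# Show which names the issued certificate covers (Subject Alternative Names),
# e.g. cert_names /etc/letsencrypt/live/example.com/cert.pem
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# Print every hostname served by a *:443 VirtualHost in an Apache conf file.
# Handles ServerName/ServerAlias inside the block and strips a ":port" suffix.
https_vhost_names() {
    awk '
        /^[[:space:]]*<VirtualHost[^>]*:443>/ { inssl = 1; next }
        /^[[:space:]]*<\/VirtualHost>/        { inssl = 0; next }
        inssl && ($1 == "ServerName" || $1 == "ServerAlias") {
            for (i = 2; i <= NF; i++) { sub(/:[0-9]+$/, "", $i); print $i }
        }
    ' "$1" | sort -u
}

# List the expected hostnames that have no HTTPS VirtualHost in the conf file.
# A certificate can include a name that Apache never serves with TLS; that name
# then still answers plain HTTP even though certbot reported success.
missing_https_names() {
    conf=$1
    shift
    served=$(https_vhost_names "$conf")
    for name in "$@"; do
        printf '%s\n' "$served" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Emit the HTTP-to-HTTPS redirect lines for one hostname, in the shape certbot
# is assumed to write for --redirect. Paste them into that name's port-80 vhost.
redirect_snippet() {
    cat <<EOF
RewriteEngine on
RewriteCond %{SERVER_NAME} =$1
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
EOF
}

# Constructed sample config (not a real server's): the main site has an HTTPS
# vhost plus redirect, the mail subdomain only has a port-80 vhost.
write_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.com [OR]
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<VirtualHost *:80>
    ServerName mail.example.com
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
</VirtualHost>
EOF
}

# Demo on the constructed config: mail.example.com is reported as missing.
sample=$(mktemp)
write_sample_conf "$sample"
echo "Served over HTTPS:"
https_vhost_names "$sample"
echo "Missing HTTPS vhost:"
missing_https_names "$sample" example.com www.example.com mail.example.com
rm -f "$sample"
```

After the real `certbot --apache --expand` run, point `https_vhost_names` at the `-le-ssl.conf` file certbot wrote and at any other enabled site files; a name printed by `missing_https_names` needs its own `*:443` VirtualHost (or a ServerAlias in the existing one) before the redirect from `redirect_snippet` is useful, since redirecting to an HTTPS vhost that does not exist sends the browser to whatever default vhost Apache picks.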